Merge remote-tracking branch 'prism/master'

author: tv <tv@krebsco.de> 2016-11-11 08:49:37 +0100
committer: tv <tv@krebsco.de> 2016-11-11 08:49:37 +0100
commit: 0e13a4e2373d891e6a895e4b6ad2b42da028ba12 (patch)
tree: 1d8ca040ab86b462d6e3fd283997d56177fa4b33 /lass/2configs
parent: b837dec290e54f532cd5539c93a663ba11f68c54 (diff)
parent: e6c7b13f5990d96e269ee12b9bf6b15bfa7d5b82 (diff)
9 files changed, 68 insertions, 91 deletions
diff --git a/lass/2configs/buildbot-standalone.nix b/lass/2configs/buildbot-standalone.nix
index d6dc1b224..4397bf786 100644
--- a/lass/2configs/buildbot-standalone.nix
+++ b/lass/2configs/buildbot-standalone.nix
@@ -25,20 +25,6 @@ in {
               pollinterval=120))
     '';
     scheduler = {
-      force-scheduler = ''
-        sched.append(schedulers.ForceScheduler(
-                                    name="force",
-                                    builderNames=["fast-tests"]))
-      '';
-      fast-tests-scheduler = ''
-        # test everything real quick
-        sched.append(schedulers.SingleBranchScheduler(
-                                    ## all branches
-                                    change_filter=util.ChangeFilter(branch_re=".*"),
-                                    treeStableTimer=10,
-                                    name="fast-all-branches",
-                                    builderNames=["fast-tests"]))
-      '';
       build-scheduler = ''
         # build all hosts
         sched.append(schedulers.SingleBranchScheduler(
@@ -113,43 +99,6 @@ in {
 
       '';
 
-      fast-tests = ''
-        f = util.BuildFactory()
-        f.addStep(grab_repo)
-        for i in [ "mors", "uriel", "shodan", "helios", "cloudkrebs", "echelon", "dishfire", "prism" ]:
-          addShell(f,name="build-{}".format(i),env=env_lass,
-                  command=nixshell + \
-                      ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \
-                        make \
-                            test \
-                            target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \
-                            method=eval \
-                            system={}".format(i)])
-
-        for i in [ "x", "wry", "vbob", "wbob", "shoney" ]:
-          addShell(f,name="build-{}".format(i),env=env_makefu,
-                  command=nixshell + \
-                      ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \
-                        make \
-                            test \
-                            target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \
-                            method=eval \
-                            system={}".format(i)])
-
-        for i in [ "test-minimal-deploy", "test-all-krebs-modules", "wolf" ]:
-          addShell(f,name="build-{}".format(i),env=env_shared,
-                  command=nixshell + \
-                      ["mkdir -p /tmp/testbuild/$LOGNAME && touch /tmp/testbuild/$LOGNAME/.populate; \
-                        make \
-                            test \
-                            target=$LOGNAME@${config.krebs.build.host.name}/tmp/testbuild/$LOGNAME \
-                            method=eval \
-                            system={}".format(i)])
-
-        bu.append(util.BuilderConfig(name="fast-tests",
-              slavenames=slavenames,
-              factory=f))
-      '';
       build-pkgs = ''
         f = util.BuildFactory()
         f.addStep(grab_repo)
diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix
index 43c4d5b0d..a7d2a6cef 100644
--- a/lass/2configs/default.nix
+++ b/lass/2configs/default.nix
@@ -46,6 +46,13 @@ with import <stockholm/lib>;
         NIX_PATH = mkForce "secrets=/var/src/stockholm/null:/var/src";
       };
     }
+    (let ca-bundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"; in {
+      environment.variables = {
+        CURL_CA_BUNDLE = ca-bundle;
+        GIT_SSL_CAINFO = ca-bundle;
+        SSL_CERT_FILE = ca-bundle;
+      };
+    })
   ];
 
   networking.hostName = config.krebs.build.host.name;
diff --git a/lass/2configs/go.nix b/lass/2configs/go.nix
index 7d694c173..f6ddbe96d 100644
--- a/lass/2configs/go.nix
+++ b/lass/2configs/go.nix
@@ -3,7 +3,7 @@
 with import <stockholm/lib>;
 {
   environment.systemPackages = [
-    pkgs.go
+    pkgs.go-shortener
   ];
   krebs.go = {
     enable = true;
diff --git a/lass/2configs/nixpkgs.nix b/lass/2configs/nixpkgs.nix
index 4ef4c6ce7..e665b6c6f 100644
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@@ -3,6 +3,6 @@
 {
   krebs.build.source.nixpkgs.git = {
     url = https://github.com/nixos/nixpkgs;
-    ref = "686bc9c5ccafbec2b6d2db61bd0803c2b7bc2b7d";
+    ref = "0195ab84607ac3a3aa07a79d2d6c2781b1bb6731";
   };
 }
diff --git a/lass/2configs/repo-sync.nix b/lass/2configs/repo-sync.nix
index fe782c4cf..baa4bb380 100644
--- a/lass/2configs/repo-sync.nix
+++ b/lass/2configs/repo-sync.nix
@@ -41,7 +41,7 @@ let
           mirror.url = "${mirror}${name}";
         };
         tv = {
-          origin.url = "http://cgit.ni.r/${name}";
+          origin.url = "http://cgit.ni.i/${name}";
           mirror.url = "${mirror}${name}";
         };
         lassulus = {
@@ -93,6 +93,7 @@ in {
     (sync-remote "xintmap" "https://github.com/4z3/xintmap")
     (sync-remote "realwallpaper" "https://github.com/lassulus/realwallpaper")
     (sync-remote "lassulus-blog" "https://github.com/lassulus/lassulus-blog")
+    (sync-remote "painload" "https://github.com/krebscode/painload")
     (sync-remote-silent "nixpkgs" "https://github.com/nixos/nixpkgs")
     (sync-retiolum "go")
     (sync-retiolum "much")
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 18c771fad..2a6df06ff 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -103,27 +103,6 @@ in {
     "o_ubikmedia_de"
   ];
 
-  krebs.backup.plans = {
-    prism-sql-domsen = {
-      method = "push";
-      src = { host = config.krebs.hosts.prism;      path = "/bku/sql_dumps"; };
-      dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-sql"; };
-      startAt = "00:01";
-    };
-    prism-http-domsen = {
-      method = "push";
-      src = { host = config.krebs.hosts.prism;      path = "/srv/http"; };
-      dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-http"; };
-      startAt = "00:10";
-    };
-    prism-o-ubikmedia-domsen = {
-      method = "push";
-      src = { host = config.krebs.hosts.prism;      path = "/srv/o.ubikmedia.de-data"; };
-      dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-owncloud"; };
-      startAt = "00:30";
-    };
-  };
-
   services.phpfpm.phpOptions = ''
     sendmail_path = ${sendmail} -t
     upload_max_filesize = 100M
@@ -142,28 +121,26 @@ in {
   krebs.iptables.tables.filter.INPUT.rules = [
     { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
     { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
-    { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
   ];
 
   krebs.exim-smarthost = {
     authenticators.PLAIN = ''
       driver = plaintext
-      server_prompts = :
-      server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
-      server_set_id = $auth2
+      public_name = PLAIN
+      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
     '';
     authenticators.LOGIN = ''
       driver = plaintext
+      public_name = LOGIN
       server_prompts = "Username:: : Password::"
-      server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
-      server_set_id = $auth1
+      server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
     '';
     internet-aliases = [
       { from = "dominik@apanowicz.de"; to = "dominik_a@gmx.de"; }
       { from = "mail@jla-trading.com"; to = "jla-trading"; }
-      { from = "testuser@lassul.us"; to = "testuser"; }
     ];
-    system-aliases = [
+    sender_domains = [
+      "jla-trading.com"
     ];
     ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
     ssl_key = "/var/lib/acme/lassul.us/key.pem";
diff --git a/lass/2configs/websites/fritz.nix b/lass/2configs/websites/fritz.nix
index d93d310da..52914f444 100644
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@@ -88,13 +88,7 @@ in {
     ];
   };
 
-  services.phpfpm.phpIni = pkgs.runCommand "php.ini" {
-     options = ''
-      extension=${pkgs.phpPackages.apcu}/lib/php/extensions/apcu.so
-      sendmail_path = "${sendmail} -t -i"
-    '';
-  } ''
-    cat ${pkgs.php}/etc/php-recommended.ini > $out
-    echo "$options" >> $out
+  services.phpfpm.phpOptions = ''
+    sendmail_path = ${sendmail} -t
   '';
 }
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index b8342e148..29374e97d 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -37,6 +37,31 @@ in {
     };
   };
 
+  krebs.tinc_graphs.enable = true;
+
+  users.users.lass-stuff = {
+    uid = genid "lass-stuff";
+    description = "lassul.us blog cgi stuff";
+    home = "/var/empty";
+  };
+
+  services.phpfpm.poolConfigs."lass-stuff" = ''
+    listen = /var/run/lass-stuff.socket
+    user = lass-stuff
+    group = nginx
+    pm = dynamic
+    pm.max_children = 5
+    pm.start_servers = 1
+    pm.min_spare_servers = 1
+    pm.max_spare_servers = 1
+    listen.owner = lass-stuff
+    listen.group = nginx
+    php_admin_value[error_log] = 'stderr'
+    php_admin_flag[log_errors] = on
+    catch_workers_output = yes
+    security.limit_extensions =
+  '';
+
   users.groups.lasscert.members = [
     "dovecot2"
     "ejabberd"
@@ -53,6 +78,28 @@ in {
       (nameValuePair "/.well-known/acme-challenge" ''
         root /var/lib/acme/challenges/lassul.us/;
       '')
+      (nameValuePair "= /retiolum-hosts.tar.bz2" ''
+        alias ${config.krebs.tinc.retiolum.hostsArchive};
+      '')
+      (nameValuePair "/tinc" ''
+        alias ${config.krebs.tinc_graphs.workingDir}/external;
+      '')
+      (let
+        script = pkgs.writeBash "test" ''
+          echo "hello world"
+        '';
+        #script = pkgs.execve "ddate-wrapper" {
+        #  filename = "${pkgs.ddate}/bin/ddate";
+        #  argv = [];
+        #};
+      in nameValuePair "= /ddate" ''
+        gzip off;
+        fastcgi_pass unix:/var/run/lass-stuff.socket;
+        include ${pkgs.nginx}/conf/fastcgi_params;
+        fastcgi_param DOCUMENT_ROOT /var/empty;
+        fastcgi_param SCRIPT_FILENAME ${script};
+        fastcgi_param SCRIPT_NAME ${script};
+      '')
     ];
     ssl = {
       enable = true;
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index 23f417195..55be8a8d9 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -79,6 +79,8 @@ rec {
           add_header X-Frame-Options "SAMEORIGIN";
           add_header X-XSS-Protection "1; mode=block";
           add_header X-Robots-Tag none;
+          add_header X-Download-Options noopen;
+          add_header X-Permitted-Cross-Domain-Policies none;
 
           # Path to the root of your installation
           root /srv/http/${domain}/;
author	tv <tv@krebsco.de>	2016-11-11 08:49:37 +0100
committer	tv <tv@krebsco.de>	2016-11-11 08:49:37 +0100
commit	0e13a4e2373d891e6a895e4b6ad2b42da028ba12 (patch)
tree	1d8ca040ab86b462d6e3fd283997d56177fa4b33 /lass/2configs
parent	b837dec290e54f532cd5539c93a663ba11f68c54 (diff)
parent	e6c7b13f5990d96e269ee12b9bf6b15bfa7d5b82 (diff)